Hackers made over $1.5m with new Android banking malware that turns into ransomware

A new Android banking malware dubbed LokiBot comes with some ransomware capabilities and is being sold on the dark web for $2,000 worth of Bitcoins.

Although LokiBot functions primarily as a banking Trojan, it can turn into a ransomware if attempts are made to disable the malware's admin rights or when victims try to remove it. Once the ransomware feature is activated, LokiBot encrypts all of the victims' data.

The malware is also capable of stealing victims' contacts, reading and sending SMS messages and locking out users from accessing their phones. LokiBot's main attack vector involves phishing overlays on numerous banking apps. However, the malware also targets several popular apps such as WhatsApp, Skype and Outlook. According to security experts at SyfLabs, who spotted the new Android malware, the cybercriminals behind LokiBot have already raked in over $1.5m in Bitcoins.

"It is very unlikely that the actors behind Android LokiBot have gained this amount of money using only LokiBot since the requested fee for ransomware is between $70 and $100 and the bot counts in the various campaigns we have seen is usually around 1000," researchers said in a blog.

LokiBot also comes with some unique features, such as starting the browser app and opening up a specific webpage, automatically replying to SMS messages, starting the victims' bank app, as well as sending out fake notifications, purporting to be from legitimate apps. "The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack," SyfLabs researchers said.

Fortunately, LokiBot's primary attack vector doesn't involve its ransomware capabilities. The SyfLabs researchers also say that the encryption function of the ransomware feature "utterly fails" since encrypted data is actually only renamed. In other words, victims don't actually lose their data. Unfortunately, however, the malware still manages to activate its screen locker feature to lock out victims from their phones.

"A threat is then shown on the screen: "Your phone is locked for viewing child pornography." The payment amount varies between $70 and $100. The Bitcoin addresses of LokiBot are hardcoded in the APK and can't be updated from C2 server," the researchers said.

LokiBot's operators appear to be continually updating the malware, especially its security detection features, which although not very advanced, are more extensive than those used by other banking malware variants in the wild. "Since early this summer we have seen at least 30 to 40 samples with bot counts varying between 100 and 2,000 bots. We believe that the actors behind LokiBot are successful, based on their BTC traffic and regular bot updates," the researchers added. "In fact, we have seen new features emerge in the bot almost every week which shows that LokiBot is becoming a strong Android trojan, targeting many banks and popular apps."